and Troubleshooting
Andrea Bertorello, Security Consulting Engineer
linkedin.com/in/andrea-bertorello/
BRKSEC-2445
Abstract
Endpoint security is a pillar of every organisation, and the trend is towards increasing endpoint security and compliance for the endpoints connected to the organisation's networks. ISE, together with Cisco Secure Client and the ISE posture module, is capable of verifying and remediating a vast suite of criteria before an endpoint is allowed network access. Now, with the upcoming ISE 3.2, there will be multiple possible ISE posture flows and new Posture Script Conditions. With this session you will be able to understand the different possible posture flows and extend posture coverage to endpoints not covered before, together with some real-case scenarios and the most common issues that can affect your implementation but can be solved handily.
BRKSEC-2445 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
About me
• AAA TAC Engineer
Warning!
Italian accent ahead
Icons Used Throughout the Presentation
Questions?
Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install the Webex App or go directly to the Webex space
MTS – Meet the Speaker – Area 2
Let’s continue the discussion/Q&A
Tuesday, Feb 7 12:20 -12:50 PM
Agenda
• Introduction to DEMO company
• ISE Posture from 10000 meters
• ISE Posture Journey
• Implementation and Troubleshooting
Session Objectives
Session will cover:
Session will not cover:
Vigilance on what is on your network
is just as important as who is on the
network. Therefore, posture is so
important.
Based on a True Story
Introduction to our scenario
How to attain and maintain endpoint compliance as per the organization’s security policy?
Diana
Amsterdam HQ
ISE Posture - Theory
ISE Posture from 10000 feet
Diagram components: ISE, AnyConnect, ISE Foundation, Remediation Servers
Posture Lifecycle - Detailed
Sequence diagram participants: Endpoint, Network Access Device, ISE
Posture and Cisco CoA types
Two main CoA types:
▪ CoA Reauth – this type of CoA is used for wired and wireless NADs; as a result of a successful CoA, the NAD initiates a full authentication process.
▪ CoA Push – this type of CoA is used by the ASA for the posture-over-VPN use case. With posture over VPN, re-authentication is impossible because it would disconnect the end user. Because of this, the CoA Push contains the new authorization attributes, which allows the NAD to apply the new access level straight away without disconnecting the user.
ISE Posture Flow types
Redirect based
Non-redirect based
ISE Posture Flow types - comparison
                                         Redirect               Non-Redirect
Initial Authentication or Authorization  Redirect ACL and URL   ACL/VLAN
Client Provisioning Portal
Redirect best practices Wired
When the client initiates an HTTP session, the NAD intercepts it and returns the url-redirect as the new page location.
Redirect best practices Wireless
▪ AAA override enabled – this allows the WLC to apply the Redirect ACL and Redirect URL to the client.
▪ NAC = RADIUS NAC/ISE – without this option CoA is not supported for the WLAN, which prevents the redirect attributes from being applied.
▪ Redirect ACL/Airespace ACL – the same recommendation as for switches; the protection provided by the redirect ACL is enough.
ISE Posture Journey
Posture Updates
Posture Updates
Deleted default posture elements are not recreated during subsequent updates.
Posture Updates
Offline Updates: You can also update Cisco ISE offline from a file on your local
system, which contains the latest archives of updates.
ISE Posture Journey: Global Settings
Posture Updates
Global Settings
Global Settings
What if the client does not support posture?
Global Settings
Posture Lease
Agentless Plugin
Endpoint Posture Attributes – Posture Lease
Posture lease is a feature that allows ISE to store the endpoint posture status (Compliant) for up to 365 days.
When an endpoint is within its posture lease, ISE assigns the authorization policy with ‘Compliant’ status right away.
AnyConnect is NOT aware of the lease. To display the proper posture status, PSN discovery is performed. This discovery is an example of a valid case where redirection does not happen in a redirect-based environment.
Endpoint Session Attributes – Posture Status
The initial posture state of the session (Unknown, Compliant or Non-Compliant) is determined according to the decision diagram on the slide.
Client Provisioning
Client Provisioning
Options: AnyConnect, AnyConnect Stealth, Temporal Agent, Agentless
Client Provisioning
Client Provisioning
Posture Lease
Conditions
Periodic Reassessments (PRA)
Grace Period
Manual Remediation
Deployed by ISE or VPN head-end
Client Provisioning
AnyConnect
Background Service
No user interaction
Limited Remediations
Deployed by ISE or VPN head-end
Client Provisioning
Contractors: John
Guest: Bob
Agent Removed
Client Provisioning
Recognizing the new IP address requires root privileges, but the Temporal Agent runs as a user process.
Client Provisioning
Agentless posture: Windows, macOS
Client Provisioning
Posture Agentless
Sequence diagram participants: Client, NAD, ISE
Endpoint Probing
Script push (PowerShell)
Client Provisioning
Posture Agentless
Sequence diagram participants: Client, NAD, ISE
Script execution: PowerShell or Shell (.sh)
ISE Admin cert
Requirement List
Client Provisioning
Comparison axes: Visibility, Time to implement, More Protection, Capability (specific OS, Remediation, Reassessment, Checks)
Posture Deployment Options
Legend: ✅ Supported   ❗ Limitations   ❌ Not Supported
Anti-Malware Checks           ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
Firewall Installation Checks  ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
Application Inventory         ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
Hardware Inventory            ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
Process Checks                ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
Dictionary Conditions         ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
Application Checks            ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
File Checks                   ✅ ✅ ❗ ✅ ✅ ✅ ✅ ❗ ✅
Service Checks                ✅ ✅ ❌ ✅ ✅ ✅ ❗ ✅ ❗
Disk Encryption               ✅ ✅ ❌ ✅ ✅ ❗ ❗ ❗ ❗
Patch Management              ✅ ✅ ❗ ✅ ✅ ❗ ❗ ❗ ❗
Registry Checks               ✅ N/A N/A ✅ N/A ✅ N/A ❗ N/A
USB Checks                    ✅ ❌ ❌ ✅ ❌ ✅ ❌ ✅ ❌
WSUS remediation (legacy)     ✅ N/A N/A ✅ N/A ❌ ❌ ❌ ❌
Remediation                   Auto, Manual | Partial | Partial | Part Auto | Partial | Text | Text | ❌ | ❌
Reassessment                  ✅ ✅ ✅ ✅ ✅ ❌ ❌ ❌ ❌
Client Provisioning
Steps: Resources, AnyConnect Profile, Client Provisioning Policy
AnyConnect Configuration: Configuration Name, Compliance Module, Modules, Profile (AC)
Client Provisioning Policy: specify the AnyConnect Agent Configuration
Portal settings adjustment
▪ Guest Portal – posture can be executed as part of the Guest Flow. This can be done on ‘Self-Registered’ and ‘Sponsored’ guest portals. The ‘Hot-Spot’ portal is not supported for posture.
Navigate to Work Centers > Guest Access > Portal & Components > Guest Portals.
Open the portal on which you would like to enable posture and navigate to the section ‘Guest Device Compliance Settings’. After posture is enabled, two additional components are added to the portal ‘block diagram’ on the right.
Client Provisioning
Agentless: PowerShell
ISE Posture Journey: Configuration
Global Settings
Client Provisioning
Posture Policies
Remediation
Endpoint Posture Attributes – Grace Period
The Grace Period feature allows an endpoint to get ‘Compliant’ network access when it becomes Non-Compliant after having been compliant in the past.
Remaining Grace Period* is stored in a dedicated table of the Oracle config DB. ISE starts populating LAST_GRACE_EXPIRY after the endpoint has been marked as non-compliant while being within the Last Known Posture Compliant State.
* While the Grace Period feature itself was added in 2.4, the Remaining Grace Period has been stored in the Oracle DB starting from 2.6. In 2.4 the Remaining Grace Period was stored in a special in-memory cache.
Posture Policies
Anti-Malware
Employee
Small branch
Firewall Enabled
Posture Policies
Dynamic requirements
Example script question: “Are all corporate CA certs and no rogue CA certs installed?” – the response is sent to ISE
[…]
Posture Policies
Establish trust between the agent and the PSN: the ISE certificate SHA-256 fingerprint is configured in AnyConnectLocalPolicy.xml
Posture Policies
Fingerprint=B9:42:7F:85:09:18:30:40:06:0B:DB:9C:48:36:F0:60:90:75:AB:D3:E9:83:AB:1A:BF:01:8F:6E:F0:11:9A:B5
<TrustedISECertFingerprints>
  <fingerprint>
    <algorithm>SHA-256</algorithm>
    <hash>30:5D:A8:0E:3B:36:6C:3A:04:0C:DF:66:D0:3B:9B:DE:94:B8:87:ED:17:5F:B7:A4:94:BF:3A:29:A5:7B:35:D0</hash>
  </fingerprint>
</TrustedISECertFingerprints>
Posture Policies
Elevated privileges
Script locations:
%ALLUSERPROFILE%\Cisco\Cisco Anyconnect Secure Mobility Client\ISE Posture\scripts
%LOCALAPPDATA%\Cisco\Cisco Anyconnect Secure Mobility Client\scripts
~/.cisco/iseposture/scripts
/opt/cisco/anyconnect/iseposture/scripts
Script handling: download the script; if the filename matches and the script file hash matches, reuse the existing script.
Posture Policies
Exit code
Posture Script Exit Codes
Exit Code  Reason
0          Script execution was successful and exited with success
>0         Script execution was successful; however, the exit code returned the failure code
-1         Script execution check wasn’t attempted
-2         Data integrity failed
-3         Error in script download
-4         Script hash verification failed
-5         Script executed; however, script execution didn’t complete within the specified timeout
-6         Generic failure (not covered by any of the other failures)
-7         Script type is not supported
-8         Script failed to launch
-9         ISE certificate is not trusted
Remember: if the script exit code is out of bounds, it is set to 255.
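As an added example (not from the session's slides), a POSIX shell posture script in the style of the .sh script conditions described here: it evaluates the earlier question "are all corporate CA certs installed and no rogue CA certs present?" and reports the verdict through its exit code, with a small helper that mirrors the 255 rule from the table. The allowlist file, the PEM directory and the fingerprint values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the session: a posture script condition written as a
# POSIX .sh script. It answers "are all corporate CA certs installed and no
# rogue CA certs present?" and reports the answer through its exit code:
#   0 = compliant, 1 = a corporate CA is missing, 2 = a CA outside the
#   allowlist is installed. Paths and fingerprints below are assumptions.

# List SHA-256 fingerprints of every PEM certificate in a directory, one per
# line, in the AA:BB:... form ISE uses (needs openssl on the endpoint).
list_installed_fingerprints() {
    dir="$1"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
    done
}

# Compare an allowlist file with an installed-fingerprint file (both one
# fingerprint per line). Case and blank lines are ignored. Returns 0 when the
# sets are identical, 1 when an allowlisted CA is missing, 2 when an extra
# (rogue) CA is present and nothing is missing.
evaluate_ca_store() {
    exp_sorted=$(mktemp); ins_sorted=$(mktemp)
    sed '/^[[:space:]]*$/d' "$1" | tr 'a-f' 'A-F' | sort -u > "$exp_sorted"
    sed '/^[[:space:]]*$/d' "$2" | tr 'a-f' 'A-F' | sort -u > "$ins_sorted"
    missing=$(comm -23 "$exp_sorted" "$ins_sorted")   # expected but absent
    extra=$(comm -13 "$exp_sorted" "$ins_sorted")     # present but not allowed
    rm -f "$exp_sorted" "$ins_sorted"
    [ -z "$missing" ] || return 1
    [ -z "$extra" ] || return 2
    return 0
}

# The agent reports a script exit code outside 0..254 as 255; this mirrors
# that rule so a script author can see what ISE will receive.
normalize_exit_code() {
    if [ "$1" -ge 0 ] && [ "$1" -le 254 ]; then echo "$1"; else echo 255; fi
}

# Stand-alone run on constructed data (no real certificates involved). A real
# posture script would finish with: exit "$rc"
demo() {
    work=$(mktemp -d)
    printf 'AA:AA:AA:AA\nBB:BB:BB:BB\n' > "$work/allowlist"            # corporate CAs
    printf 'aa:aa:aa:aa\nBB:BB:BB:BB\nCC:CC:CC:CC\n' > "$work/installed" # plus one rogue CA
    rc=0; evaluate_ca_store "$work/allowlist" "$work/installed" || rc=$?
    rm -rf "$work"
    echo "posture verdict: exit code $rc (ISE sees $(normalize_exit_code "$rc"))"
}
demo
```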
ISE Posture Journey: Access Policy
Posture status values: Compliant, NonCompliant, Unknown
Employee
Script for CA
Small branch
Firewall Enabled
Employee – Agent based
Agent Posture – Employee: Client Provisioning
Posture Updates
AC Package + cisco.com Compliance Module
AC Posture Profile
Client Provisioning policy: AD: Agent_Posture
Agent Posture – Employee Posture Configuration
Posture Condition: script (.ps1 or .sh)
Agent Posture – Employee Posture Configuration
Posture Requirements
Posture Policy
Agent Posture: Final Step
Time to test
Script Troubleshoot
1. Prerequisites check
4. Manually run the script on the endpoint
Error seen when the script is run manually: "Running script is disabled on this system"
Troubleshoot Posture by ISE logs – iseLocalStore
By default, each ISE node stores all syslog messages of certain logging categories locally for 1 day.
CLI:
What we have on ISE for posture - PrRT
Logs: prrt-server.log with runtime-aaa in DEBUG.
Example: we have a posture CoA failure and would like to see more details in the logs (VPN example):
ade # cat prrt-server.log | grep -a 'CallingStationID=10.61.238.240.*RADIUS PACKET.*Code='
Radius,2022-10-23 12:22:40,492,DEBUG,0x7f496a3e6700,cntx=0027628155,sesn=skuchere-ise26-1/384213726/11919,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=1(AccessRequest) Identifier=79 Length=673
Radius,2022-10-23 12:22:44,122,DEBUG,0x7f496a2e5700,cntx=0027628155,sesn=skuchere-ise26-1/384213726/11919,CPMSessionID=c0a81c010073e0005f92af8b,user=bob@example.com,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=2(AccessAccept) Identifier=79 Length=471
Radius,2022-10-23 12:22:44,159,DEBUG,0x7f496a1e4700,cntx=0027628189,sesn=skuchere-ise26-1/384213726/11921,CPMSessionID=c0a81c010073e0005f92af8b,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=4(AccountingRequest) Identifier=81 Length=728
Radius,2022-10-23 12:22:44,169,DEBUG,0x7f496a6e9700,cntx=0027628189,sesn=skuchere-ise26-1/384213726/11921,CPMSessionID=c0a81c010073e0005f92af8b,user=bob@example.com,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=5(AccountingResponse) Identifier=81 Length=20,RADIUSHandler.cpp:2214
RadiusClient,2022-10-23 12:23:03,481,DEBUG,0x7f495e92c700,cntx=0027628350,sesn=1a8cd632-9b18-4076-af60-3eef7af79cb4,CallingStationID=10.61.238.240, RADIUS PACKET: Code=43 (CoARequest) Identifier=25 Length=205
RadiusClient,2022-10-23 12:23:03,485,DEBUG,0x7f496a1e4700,cntx=0027628350,sesn=1a8cd632-9b18-4076-af60-3eef7af79cb4,CallingStationID=10.61.238.240, RADIUS PACKET: Code=44 (CoAACK) Identifier=25 Length=20,RadiusClientHandler.cpp:49
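As an added example (not part of the session), a small shell helper for the troubleshooting step above: it pulls the RADIUS PACKET lines for one CallingStationID out of prrt-server.log (runtime-aaa in DEBUG), lists the packet codes in order and pairs the CoA request with its ACK or NAK by RADIUS Identifier, so a failed posture CoA is visible at a glance. The sample log it ships with is constructed, not taken from a real deployment.

```shell
#!/bin/sh
# Added example, not from the session: summarise the RADIUS exchange for one
# endpoint from prrt-server.log and decide whether the posture CoA succeeded.
# Assumes runtime-aaa is in DEBUG (so RADIUS PACKET lines exist) and that each
# log entry sits on one line. The log content below is constructed.

# Packet code -> name (RFC 2865/2866 and RFC 5176 CoA/Disconnect codes).
radius_code_name() {
    case "$1" in
        1) echo AccessRequest ;;      2) echo AccessAccept ;;
        3) echo AccessReject ;;       4) echo AccountingRequest ;;
        5) echo AccountingResponse ;; 11) echo AccessChallenge ;;
        40) echo DisconnectRequest ;; 41) echo DisconnectACK ;;
        42) echo DisconnectNAK ;;     43) echo CoARequest ;;
        44) echo CoAACK ;;            45) echo CoANAK ;;
        *) echo "Code$1" ;;
    esac
}

# Print "<code> <identifier>" for every RADIUS PACKET line of one station, in
# log order. The trailing comma keeps 10.0.0.5 from also matching 10.0.0.50.
packet_codes_for_station() {
    grep -aF "CallingStationID=$2," "$1" | grep -a 'RADIUS PACKET' \
        | sed -n 's/.*Code=\([0-9][0-9]*\).*Identifier=\([0-9][0-9]*\).*/\1 \2/p'
}

# CoA verdict for a station: NO_COA (none sent), NO_RESPONSE (request without
# a matching reply), ACK or NAK. The reply is matched to the request by Identifier.
coa_outcome() {
    outcome=NO_COA; coa_id=
    while read -r code ident; do
        [ -n "$code" ] || continue
        if [ "$code" = 43 ]; then
            outcome=NO_RESPONSE; coa_id=$ident
        elif [ "$outcome" = NO_RESPONSE ] && [ "$ident" = "$coa_id" ]; then
            [ "$code" != 44 ] || outcome=ACK
            [ "$code" != 45 ] || outcome=NAK
        fi
    done <<EOF
$(packet_codes_for_station "$1" "$2")
EOF
    echo "$outcome"
}

# Constructed sample in the prrt-server.log layout (placeholder IPs/sessions).
write_sample_log() {
    cat > "$1" <<'EOF'
Radius,2023-02-07 12:22:40,492,DEBUG,0x1,cntx=1,sesn=psn1/1/1,CallingStationID=10.0.0.5,RADIUS PACKET:: Code=1(AccessRequest) Identifier=79 Length=673
Radius,2023-02-07 12:22:44,122,DEBUG,0x1,cntx=1,sesn=psn1/1/1,CPMSessionID=0000,user=alice@example.com,CallingStationID=10.0.0.5,RADIUS PACKET:: Code=2(AccessAccept) Identifier=79 Length=471
RadiusClient,2023-02-07 12:23:03,481,DEBUG,0x2,cntx=2,sesn=aaaa-bbbb,CallingStationID=10.0.0.5, RADIUS PACKET: Code=43 (CoARequest) Identifier=25 Length=205
RadiusClient,2023-02-07 12:23:03,485,DEBUG,0x2,cntx=2,sesn=aaaa-bbbb,CallingStationID=10.0.0.5, RADIUS PACKET: Code=45 (CoANAK) Identifier=25 Length=20
RadiusClient,2023-02-07 12:24:00,000,DEBUG,0x3,cntx=3,sesn=cccc-dddd,CallingStationID=10.0.0.6, RADIUS PACKET: Code=43 (CoARequest) Identifier=26 Length=205
RadiusClient,2023-02-07 12:24:00,004,DEBUG,0x3,cntx=3,sesn=cccc-dddd,CallingStationID=10.0.0.6, RADIUS PACKET: Code=44 (CoAACK) Identifier=26 Length=20
EOF
}

# Stand-alone run: print the exchange for the failing endpoint and the verdict.
demo() {
    log=$(mktemp); write_sample_log "$log"
    packet_codes_for_station "$log" 10.0.0.5 | while read -r code ident; do
        echo "id=$ident $(radius_code_name "$code")"
    done
    echo "CoA outcome for 10.0.0.5: $(coa_outcome "$log" 10.0.0.5)"
    rm -f "$log"
}
demo
```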
What we have on ISE for posture - Policy
Authorization policy troubleshooting:
2022-10-23 12:22:44,066 DEBUG [Thread-253][] cisco.cpm.posture.pip.PostureStatusPIP -::::- PostureStatusPIP for mac 00-0C-29-A6-39-CD - Attribute Session.PostureStatus value is Unknown
2022-10-23 12:52:31,559 DEBUG [Thread-616][] cisco.cpm.posture.pip.PostureStatusPIP -::::- fast reconnect is enabled
2022-10-23 12:52:31,590 DEBUG [Thread-616][] cisco.cpm.posture.pip.PostureStatusPIP -::::- the posture expiry value is null
2022-10-23 12:52:31,590 DEBUG [Thread-616][] cisco.cpm.posture.pip.PostureStatusPIP -::::- PostureStatusPIP for mac 00-0C-29-A6-39-CD - Attribute Session.PostureStatus value is Unknown
What we have on ISE for posture - Provisioning
Client Provisioning Troubleshooting
Target files are ise-psc.log and guest.log (here specifically we see the agent exchanges with ISE).
Use the endpoint MAC or IP as a search key, and add the date/time to focus on a specific posture attempt.
Start from
What we have on ISE for posture - Posture
If you need to debug posture events
Contractors – Agent Stealth
Contractor: External Data Source – AD
Agent Stealth - Contractors
Client Provisioning: AD: Agent Stealth
Condition: Device ID attribute
Small Branch – Agentless based
Agentless: Small Branch
Client Provisioning
Agentless: Failure Flow
Session-AgentlessFlowStatus
Agentless: Failure Flow #2
Client Provisioning for the failure flow
Agentless Posture: Policy
Agentless: Troubleshooting, our tools
Posture Report
ISE posture related debugs
ise-psc.log
▪ Processing of initial and final posture report
▪ Client provisioning policy selection
Search keys: one from the list (order defines priority): EP MAC, Endpoint IP, username
guest.log
▪ Session lookup process when the Discovery probe has reached the PSN without redirect
Search keys
Agentless: Common issues #1
Port 5985
Firewall ACL/DACL
Agentless: Common issues #2
HTTP 401
Implementation caveats recap
Client provisioning per user group: AD: group 1, AD: group 2 – Temporal / Agentless / Agent
Authorization Policy per user group
Key Takeaways
Time, Protection, Visibility
Continue Your Education
Next action
Thank you